White House unveils cybersecurity standards for private businesses

The White House on Wednesday released the final version of the voluntary cybersecurity framework that President Barack Obama ordered exactly one year ago in an effort to reduce risks to the United States’ critical infrastructure.

But after 12 months of development, tech experts aren’t sure
the latest effort to strengthen cybersecurity among the players
in the nation’s power sector, telecommunications sphere and
other at-risk realms goes as far as they think is warranted.

During his 2013 State of the Union address, President Obama acknowledged that earlier that day he had signed an
executive order intended to strengthen the
country’s cyber defenses “by increasing information sharing
and developing standards to protect our national security, our
jobs and our privacy.” That executive order directed the
director of the National Institute of Standards and Technology,
or NIST, to develop a framework intended to help entities reduce
the cyber risks faced by the nation’s most crucial assets. One
year to the day, government officials announced at a White House
press conference on Wednesday that they were ready to begin
rolling out that framework to interested industry partners.

“Threats are becoming more sophisticated,” White House
Chief of Staff Denis McDonough said during the event that
afternoon, and “…the only way to address these threats
effectively is through a true partnership between the government
and the private sector.” Soon, however, participation in the
program is expected to be mandated among government contractors.

When the president signed the order last February, he warned that
the threat from cyberattacks had worsened in recent years and
cited money-hungry hackers and hostile foreign nation-states as
being among the biggest culprits behind attacks on America’s
computer systems. One year later that threat has arguably only
intensified, especially in light of the recent security breaches
suffered by Target, Neiman Marcus and others, and
the Obama administration hopes that companies that adopt the new
framework will find themselves less likely to be brought down by
highly skilled hackers.

The framework, its authors write, “uses a common language to
address and manage cybersecurity risk in a cost-effective way
based on business needs without placing additional regulatory
requirements on businesses.” According to its executive
summary it “enables organizations – regardless of size,
degree of cybersecurity risk or cybersecurity sophistication – to
apply the principles and best practices of risk management to
improving the security and resilience of critical
infrastructure” by providing “organization and structure
to today’s multiple approaches to cybersecurity by assembling
standards, guidelines and practices that are working effectively
in industry today.”

Over the course of 47 pages, the document outlines a framework
composed of five core functions (identify, protect, detect,
respond and recover) intended to give participating entities a
strategic view of how well their cybersecurity risk management
practices measure up, from ad hoc to adaptive. Elsewhere it shows
participants how to align their practices with the standards and
guidelines crucial to protecting critical infrastructure systems,
and how they can assess and prioritize the risks they face.

Critical infrastructure, as defined in that report, is composed
of “systems and assets, whether physical or virtual, so vital
to the United States that the incapacity or destruction of such
systems and assets would have a debilitating impact on security,
national economic security, national public health or safety or
any combination of those matters,” and includes private
sector businesses ranging from telecommunication providers to
utility companies.

The framework announced this week doesn’t require any company
or corporation to sign on, however, and absent monetary incentives it could do little to
win cooperation from the private sector.

Originally, the US government considered measures that would have
rewarded companies that follow the framework by helping them
acquire the upgrades needed to withstand cyberattacks. That offer
has been dropped from the finalized framework, however, much to
the chagrin of some who saw those measures as a way to attract
otherwise unwilling participants who aren’t interested in
adopting purely voluntary standards.

“Six months ago the message we were hearing is that
incentives were coming,” Robert Dix, vice president of
government affairs for California's Juniper Networks told
Bloomberg BusinessWeek in a recent telephone interview. “Virtually nothing has been
done to move the needle on any incentives that are going to be
economic motivators for investments.”

“If the framework isn’t cost effective and isn’t supported by
incentives, it’s hard to see how it can work on a sustainable
basis,” added Larry Clinton, the president of the Internet
Security Alliance, which represents General Electric, among
others.

Indeed, Dix and Clinton are not alone. On Tuesday this week, the
Information Technology Industry Council, which includes Apple,
Google, IBM, Intel and Symantec, released a statement which in
part objected to the lack of incentives being offered a year
after they were all but assured.

“Given limited fiscal resources and the complexity of
incentives, including the necessary involvement of multiple
stakeholders including Congress, it is highly unlikely any will
be available at, or immediately following, the February 2014
launch” of the framework, that group said.

Others have applauded the framework, albeit while still
expressing some reservations about the final report.

"The voluntary cybersecurity framework provides a number of
useful guideposts for companies who want to better secure their
data," Greg Nojeim of the DC-based Center for Democracy and
Technology wrote in a statement released Wednesday
afternoon. "The framework will be useful to companies and
their privacy officers, because it will remind them that
processes should be put in place to deal with the privacy issues
that arise in the cybersecurity context."

"However, we are concerned that the privacy provisions in the
framework were watered down from the original draft," added
Nojeim. "We would have preferred a framework that requires
more measurable privacy protections as opposed to the privacy
processes that were recommended. As the framework is implemented,
we are hopeful that such privacy protections are further
developed and become standardized."

Even Michael Chertoff, the former secretary of the Department of
Homeland Security under President George W. Bush, told POLITICO last week that he thinks the
framework lacks the necessary support from other parts of the
US government. Without that, he said, it might not be enough to
protect critical infrastructure components.

“Either Congress will have to really put some muscle behind
it, or the regulators … will have to pick up the baton,”
said Chertoff. “I wouldn’t say we’re at the end of the
journey.”

Even those unwilling to adopt the voluntary standards will have
other options to protect their systems, though. Current DHS
Secretary Jeh Johnson announced during Wednesday’s conference
that his department has established the Critical Infrastructure
Cyber Community Voluntary Program, or C-Cubed, to give companies
that provide critical services like cell phone, email, banking
and energy free and direct access to cybersecurity experts within
DHS who have knowledge about specific threats facing the
country, as well as ways to counter those threats and recover
from them.

“The C-Cubed Voluntary Program will serve as a point of
contact and customer relationship manager to assist organizations
with framework use, and guide interested organizations and
sectors to DHS and other public and private sector resources to
support use of the Cybersecurity Framework,” Johnson’s
department said in a statement published on Wednesday.